#dev 2021-05-10
2021-05-10 UTC
samwilson, [jeremycherfas], ytqb[m], vilhalmer and ShadowKyogre joined the channel; ShadowKyogre left the channel
# @AndreJaenisch ↩️ Wait.
hentry?
WebMention support?
Or only microformats? (Which would be great on its own)
To answer the question: IndieWeb! (twitter.com/_/status/1391650750493827073)
ShadowKyogre, [KevinMarks], samwilson, [dianoetic_net], [jeremycherfas], shoesNsocks and sparseMatrix joined the channel
# sparseMatrix so what's the best OAuth2 provider library for doing microformat stuffs with python?
# sparseMatrix I'm looking at AuthLib
# sparseMatrix errr, Authlib
# sparseMatrix I'm wondering if maybe I could just integrate something like this into my environment: https://github.com/bbc/nmos-auth-server
# sparseMatrix it's based on Authlib
# sparseMatrix I have done the JWT thing before, but not necessarily via an OAuth workflow
# sparseMatrix I had some phone-home devices I set up 'dialing up' the mothership for purposes of accessing an api
# @omc345 I finally set up Webmentions with the help of @jkup's awesome post and repository. It's time to make it count!
https://jonkuperman.com/gatsby-webmentions/ (twitter.com/_/status/1391776752477802497)
jeremych_, [jacky] and [KevinMarks] joined the channel
# [KevinMarks] this is interesting https://locus.plus/
[tantek] joined the channel
# [KevinMarks] a pushback against what3words, which is full of flaws
shoesNsocks and tomlarkworthy joined the channel
# tomlarkworthy Is the backlink from GitHub profile strictly necessary to log someone in?
# tomlarkworthy If I am user https://tom.com/ with a rel=me link to https://github/tom. Then to log in as https://tom.com/ I can just take https://tom.com's word?
# tomlarkworthy like if the GitHub authenticates the nominated profile user then that's basically the same as having an indie_auth link to the GitHub oauth endpoint
# tomlarkworthy it's not an attack. I can create not-tom.example.com and have an authorization_endpoint that auto logs in for anybody, then we are in the same position, real tom is logged into the app as not-tom.example.com after being tricked
# tomlarkworthy critically I am not logged into the app as tom.example.com. Also the indielogin.com does summarize what is about to happen for this kind of reason anyway
# tomlarkworthy an indieauth endpoint does not require backlinks, it clearly is not totally necessary, though there is obvious value to having bidirectional trust as it's symmetric, but for the purposes of login you only need it one way really.
# tomlarkworthy I am just trying to simplify things and the fact GitHub only allows one homepage is annoying
# tomlarkworthy 2 of 2 users I have so far talked to had an incompatible homepage already in their GitHub profile, so I think in practice this gets in the way, especially as GitHub only allows one link.
# tomlarkworthy but yeah, good workaround with profile scanning
# tomlarkworthy yeah this was the case for me
# tomlarkworthy yeah it's good. That's why I am here :)
# tomlarkworthy but not having backlinks for silo oauth providers is even easier.
# tomlarkworthy I don't see a great reason for the backlinks here
# [KevinMarks] locus.plus does need js as it's calling the location api, though it may barf if you're not in the uk when it does the grid conversion
# tomlarkworthy BTW I ban http homepages because of MITM risks so Tantek's would not work with auth server.
# tomlarkworthy this was 1 reason why I could not accept 1 of my users' homepage
# tomlarkworthy you can't trust a http site so in my mind it is not a suitable substrate for login
# [KevinMarks] is there an MITM risk from your server side? That's usually only a significant issue for client side
# tomlarkworthy well it really depends where the user's webpage is hosted.
# tomlarkworthy several governments are known to MITM their citizens
# tomlarkworthy just seems strange to put so much faith in DNS and then not secure the comms to those named servers with https
# tomlarkworthy yeah I guess the main vector is coffee shop wifi attacks but this is not an issue with server-to-server verification
# tomlarkworthy sorry my auth server does not accept http
# tomlarkworthy oh funny I clicked your name here and it directs to http version of your site
# tomlarkworthy I can't find evidence of SSL being broken (without installing custom certs or throwing errors in the browser)
# tomlarkworthy yeah that's a custom cert.
# tomlarkworthy it does they have to use a corporate issued device that is not theirs
# tomlarkworthy that's an action
# tomlarkworthy "https://chat.indieweb.org/"
# tomlarkworthy kevinmarks too goes to http
# tomlarkworthy aaronpk goes to https
# aaronpk i mean it's just pulling from https://indieweb.org/chat-names
# tomlarkworthy HSTS headers?
# tomlarkworthy yeah the actual link is "http://aaronparecki.com/"
# tomlarkworthy yeah it is going to http for aaronpk
# tomlarkworthy yes there was some complex upgrade logic I decided not to prot and just accept only https
# tomlarkworthy not to port
[dianoetic_net] and [tw2113_Slack_] joined the channel
# tomlarkworthy oh that was indieauth.com sorry. Some InsecureRedirectErrors
# tomlarkworthy 'indielogin.com will handle the case of users entering an insecure HTTP URI and "upgrading"/redirecting it to a HTTPS one; IIRC. It's been an issue mentioned before in here.' Maybe old though
sparseMatrix joined the channel
# sparseMatrix I've been reading the (proposed) spec here: https://www.w3.org/TR/indieauth/#authentication for most of the day. If this is the working spec, it does say that http should be upgraded to https by the client
# sparseMatrix It's also fairly permissive of redirects
# aaronpk This one is more up to date https://indieauth.spec.indieweb.org/
# sparseMatrix and document URI, vs strictly canonical domains, e.g., 'https://someplace.com/joe.user/joes-hcard.html'
# sparseMatrix cool, I'll switch over to that @aaronpk
# sparseMatrix and thanks :D
[KevinMarks] joined the channel
# [KevinMarks] I've done it with jinja2, but that isn't naturally xml compliant
# [KevinMarks] See what granary uses
[snarfed] joined the channel
# [snarfed] granary uses https://feedgen.kiesow.be/ . it’s…fine
[girrodocus] and [dianoetic_net] joined the channel
# [dianoetic_net] I have webmentions displaying 💃
# [dianoetic_net] Have we got anything for sending to Bridgy using GitHub actions? Or will I have to get scripty
[Jeremy_Keith] joined the channel
samwilson and [chrisaldrich] joined the channel
# [dianoetic_net] Thanks! I'll have to find a way to grab the right URL to send I suppose.
# [dianoetic_net] I guess I could IFTTT but somehow that feels like admitting defeat...